Cisco Integrated Management Controller Privilege Escalation Vulnerability

🚨 SEVERITY: HIGH (CVSS 8.8) Security Advisory

TL;DR 📌

  • A vulnerability in the SSH connection handling of Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series, UCS C-Series, UCS S-Series, and UCS X-Series Servers could allow an authenticated, remote attacker to access internal services with elevated privileges. This vulnerability is due to insufficient restrictions on access to internal services. An attacker with a valid user account could exploit this…
  • Cisco has released fixed software (see the Fixed software table below); upgrade, and monitor until the upgrade is complete.
  • There are no workarounds, but a mitigation (disabling SSH access to the Cisco IMC where it is not required) is documented in the advisory.
  • CVEs: CVE-2025-20261.

What happened 🕵️‍♂️

A vulnerability in the SSH connection handling of Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series, UCS C-Series, UCS S-Series, and UCS X-Series Servers could allow an authenticated, remote attacker to access internal services with elevated privileges.

This vulnerability is due to insufficient restrictions on access to internal services. An attacker with a valid user account could exploit this vulnerability by using crafted syntax when connecting to the Cisco IMC of an affected device through SSH. A successful exploit could allow the attacker to access internal services with elevated privileges, which may allow unauthorized modifications to the system, including the possibility of creating new administrator accounts on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability, but a mitigation is available.

Affected products 🖥️

This vulnerability affects the following Cisco products if they are running a vulnerable software release and they accept incoming SSH connections to the Cisco IMC:

  • UCS B-Series Blade Servers (CSCwk24502 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk24502”])
  • UCS C-Series Rack Servers (CSCwc06871 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc06871”])
  • UCS S-Series Storage Servers (CSCwc06871 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc06871”])
  • UCS X-Series Modular System (CSCwk24502 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk24502”])

Note: Cisco UCS C-Series and UCS S-Series Servers in standalone mode accept incoming SSH connections by default. For additional details, see the Configuring SSH section of the Cisco UCS C-Series Integrated Management Controller GUI Configuration Guide [“https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/gui/config/guide/4_3/b_cisco_ucs_c-series_gui_configuration_guide_43/b_Cisco_UCS_C-series_GUI_Configuration_Guide_41_chapter_01101.html#task_083E4199DCF1404486FC1C6F958CBE8C”]. Cisco UCS B-Series, Managed UCS C-Series, Managed UCS S-Series, and UCS X-Series Servers accept incoming SSH connections only if a Serial over LAN (SoL) policy is enabled on the associated Service Profile. For additional details, see the Serial over LAN Policy Settings section of the Cisco UCS Manager Server Management Guide [“https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Server-Mgmt/4-3/b_cisco_ucs_manager_server_mgmt_guide_4_3/m_server-related_policy_configuration.html#d21614e28464a1635”].

Cisco appliances that are based on a preconfigured version of a Cisco UCS C-Series Server are also affected by this vulnerability if they expose SSH access to the Cisco IMC. At the time of publication, this included the following Cisco products:

  • Application Policy Infrastructure Controller (APIC) Servers
  • Business Edition 6000 and 7000 Appliances
  • Catalyst Center Appliances, formerly DNA Center
  • Cisco Telemetry Broker Appliance
  • Cloud Services Platform (CSP) 5000 Series
  • Common Services Platform Collector (CSPC) Appliances
  • Connected Mobile Experiences (CMX) Appliances
  • Connected Safety and Security UCS Platform Series Servers
  • Cyber Vision Center Appliances
  • Expressway Series Appliances
  • HyperFlex Edge Nodes
  • HyperFlex Nodes
  • IEC6400 Edge Compute Appliances
  • IOS XRv 9000 Appliances
  • Meeting Server 1000 Appliances
  • Nexus Dashboard Appliances
  • Prime Infrastructure Appliances
  • Prime Network Registrar Jumpstart Appliances
  • Secure Endpoint Private Cloud Appliances
  • Secure Firewall Management Center Appliances, formerly Firepower Management Center
  • Secure Malware Analytics Appliances
  • Secure Network Analytics Appliances
  • Secure Network Server Appliances
  • Secure Workload Servers

For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory.

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Release / Product    First Fixed Release
4.1                  4.1(3n)
4.2                  4.2(3k)
4.3                  4.3(4c)
4.2                  4.2(3i)
5.1                  Migrate to a fixed release.
5.2                  5.2(2.240073)
5.3                  Not vulnerable.
5.4                  Not vulnerable.
5.0                  5.0(4f)
4.2                  4.2(2f), 4.2(3b)
4.3                  Not vulnerable.
4.2                  4.2(2c), 4.2(3b)

Note: the same release train appears more than once because the advisory publishes a separate fixed-release table per product family; match the row against your platform in the full advisory before acting on it. A row with two releases (for example 4.2(2f), 4.2(3b)) lists the first fixed release of each maintenance line.

Revision history: 1.0, initial public release.
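A version check against one row of the table above, added here as an example (it is not Cisco's tooling and not part of the advisory). It parses Cisco's "major.minor(build letter)" release strings and classifies a running release against the row text; the rule that a release is fixed when it is at or above the listed first-fixed release in its own maintenance line, or in a maintenance line newer than every listed one, is this example's assumption, not something the advisory states.

```python
import re

# Matches Cisco IMC/UCS release strings such as "4.2(3k)" or "5.2(2.240073)".
_REL = re.compile(r"^(\d+)\.(\d+)\((\d+(?:\.\d+)*)([a-z]*)\)$")


def parse_release(s: str) -> tuple:
    """Return a sortable key: (major, minor, build-number tuple, patch letters)."""
    m = _REL.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {s!r}")
    major, minor, build, patch = m.groups()
    build_key = tuple(int(p) for p in build.split("."))
    # Compare patch letters by length first so that "aa" sorts after "z".
    return (int(major), int(minor), build_key, (len(patch), patch))


def maintenance_line(key: tuple) -> tuple:
    """Everything but the patch letter, e.g. 4.2(3) for 4.2(3k)."""
    return key[:3]


def status(running: str, first_fixed: str) -> str:
    """Classify `running` against the text of one fixed-software row.

    `first_fixed` is the row as printed: "4.2(2f), 4.2(3b)", "Not vulnerable."
    or "Migrate to a fixed release.".  Assumption (not stated on the page):
    fixed means at/above the first-fixed release of the same maintenance line,
    or a maintenance line newer than every listed one.
    """
    text = first_fixed.strip().lower()
    if text.startswith("not vulnerable"):
        return "not vulnerable"
    if text.startswith("migrate"):
        return "vulnerable: migrate to a fixed release"
    run = parse_release(running)
    fixed = [parse_release(f) for f in first_fixed.split(",")]
    if any(f[:2] != run[:2] for f in fixed):
        raise ValueError("this table row does not apply to the running train")
    same_line = [f for f in fixed if maintenance_line(f) == maintenance_line(run)]
    if same_line:
        return "fixed" if run >= same_line[0] else "vulnerable: upgrade"
    if maintenance_line(run) > max(maintenance_line(f) for f in fixed):
        return "fixed"
    return "vulnerable: upgrade"


if __name__ == "__main__":
    # Constructed sample inputs checked against rows copied from the table.
    for ver, row in [("4.2(3a)", "4.2(2f), 4.2(3b)"), ("4.2(3k)", "4.2(3k)")]:
        print(ver, "->", status(ver, row))
```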

Workarounds 🧯

There are no workarounds that address this vulnerability. However, there is a mitigation.

If it is not required, SSH access to the Cisco IMC of an affected device may be disabled.

For Cisco UCS C-Series and UCS S-Series Servers in standalone mode, choose Admin > Communication Services on the Cisco IMC web UI and uncheck the SSH Enabled option.

For Cisco UCS B-Series, Managed UCS C-Series, Managed UCS S-Series, and UCS X-Series Servers, disable the Serial over LAN (SoL) policy on the associated Service Profile (SoL access is disabled by default). From the Servers section of the Cisco UCS Manager web UI, do the following:

  • Choose the Service Profile in question.
  • Click the Change Serial over LAN Policy link under Actions in the Policies tab.
  • Choose the No Serial over LAN Policy option.
  • Click OK.

Alternatively, edit the applied Serial Over LAN Policy under Policies > Serial Over LAN Policies and change the Serial over LAN State property from Enable to Disable. This would disable SoL access for all the Service Profiles that are using the SoL policy in question.

While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Risk in context 🎯

Use the vendor CVSS score (8.8, High) for prioritization, weighted by whether SSH to the Cisco IMC is actually reachable (it is enabled by default on standalone C-Series and S-Series servers) and by the criticality of the hosts the affected IMC manages.

Fast facts ⚡

  • Advisory: cisco-sa-ucs-ssh-priv-esc-2mZDtdjM
  • Initial release: 2025-06-04T16:00:00 UTC
  • Last updated: 2025-06-04T16:00:00 UTC

For leadership 🧭

Executive summary. Risk is High (CVSS 8.8) for Cisco Unified Computing System (Managed) deployments. Vendor fixes are available; prioritize upgrade within 7 days based on environment risk.

Why it matters (exposure drivers):

  • Potential service impact and security exposure depend on deployment topology and access paths.
  • Treat internet-exposed or multi-tenant management nodes as higher risk.
  • Ensure monitoring for abnormal auth/config events until upgrades complete.

Remediation & timing:

  • Upgrade to the first fixed release per the table above; schedule an approved change window within 7 days.
  • Change risk: low-to-moderate (standard vendor patch). Validate backups and rollback plan.

Now / Next / Later:

  • Now: Confirm exposure, identify affected versions, and enable monitoring/alerts.
  • Next: Patch according to the fixed software table; verify service health post-change.
  • Later: Add control checks to build pipeline/CMDB to block drift to vulnerable trains.